Is desktop anti-virus dead? Someday I'd love to make that announcement, but it still feels to me that there's a Patron Saint of Voodoo with an affinity for bringing it back to life — like some macabre mirror image of the malicious zombies it's supposed to provide protection against.

It's kind of ironic that today's innovation in desktop anti-virus isn't really happening at the desktop; rather it's occurring in the cloud. Today, the best performing desktop anti-virus products pass copies of suspicious files and URLs up to their vendor's cloud for detailed analysis and, in response, down comes a diagnostic of the file that was analyzed. Several vendors have been doing this for a number of years, but have only recently been promoting the "cloud" part. Apparently people are more comfortable with the cloud nowadays — go figure.

What advantages are there to using the "cloud" for anti-virus protection? Here are just a few that I've pulled from various literature I happened to come across:

Scalability – the ability to keep pace with the ever-increasing volume of new malware.

Efficiency – instead of analyzing the same piece of malware on ten thousand desktop computers, why not do it just once?

Improved engines – there's only so much technology you can push down to a desktop. Advanced malware detection needs sophisticated automated analysis and dissection technologies that are too big to run side-by-side with Microsoft Excel.

Global visibility – there are numerous advantages in being able to see a new piece of malware early on in its lifecycle. Having thousands or millions of "sensors" (i.e. customer deployments) means that there's a steady flood of timely material to analyze.

Hidden within these anti-malware analysis clouds lie each vendor's latest innovations. That said, at the end of the day we're still talking about desktop anti-virus as a protection platform — with a software component installed upon the customer's (aka the "victim's") computer — which is worth a gripe all of its own. In a nutshell though, desktop anti-virus suffers from three critical problems:

Desktop anti-virus runs upon a desktop operating system, side by side with other applications. There are too many ways in which the attacker can inject their malware onto the victim's computer and slip under the anti-virus product's protective gaze.

The bad guys have access to all these products and simply QA their latest malware samples against them to ensure that they evade detection. The malware they send out has already been proven to evade detection.

If the bad guys have physical access to your protection technology, they'll always be able to subvert and evade it.

An obvious remedy to these problems is to remove the protection elements from the bad guys' grasp. In particular, move them off the desktop.

Despite the obvious advantages of using the cloud for malware analysis, I find it stupefying that some folks have only taken a half-way step in moving off the desktop and onto a dedicated network appliance — without making the logical leap to cloud-based malware analysis.

To be sure, there are a lot of products on the market that specialize in in-situ automated malware analysis. Earlier this year I discussed the canned sandboxing techniques that various vendors supply and a more detailed side-by-side comparison of the various Next Generation Anti-Virus [PDF] products. But, at the end of the day, why oh why would you want to run poisonous, evasive and downright dangerous criminal (and state-sponsored) malware inside your own organization's network? It's like setting off fireworks while you're still indoors!

Luckily, over the last couple of weeks there has been substantial advancement in this area. Multiple security vendors are now adding advanced cloud-based malware analysis and disassembly to their network protection platforms. Basically, they are augmenting their in-situ network detection systems with real-time advanced malware analysis — and doing it in such a way that it'll scale with the threat, provide the highest detection and analysis capabilities, and do it all without increasing the appliance cost.

Last week Palo Alto Networks (PAN) announced their new WildFire cloud-based anti-malware defenses, and this week Damballa launched their free (included in the latest release of Damballa Failsafe) cloud-based malware analysis platform. (Disclaimer: I am employed by Damballa, Inc.) I'm sure that there will be a handful of additional announcements from other vendors over the next few months.

While cloud-based malware analysis is obviously the way to go in dealing with the advanced (and advancing) nature of the threat, I think there are still a bundle of questions that the industry will need to somehow figure out how to answer. In particular, as with most things "cloud", it's often a little foggy as to what's going on behind the scenes.

A key question going forward is going to relate to apples-to-apples comparisons between the various cloud-based malware analysis platforms and their capabilities in identifying and dissecting the latest threat advances. I suspect that vendors are going to have to open the kimono a little more — perhaps providing insight into what underlying technologies they employ (e.g. virtual machines, emulators, bare-metal, KVM automation, etc.) when executing their malware analysis and maybe even the pedigree of the folks tasked with supporting and innovating within that cloud framework.

In the future, customers are going to have to figure out which anti-malware cloud is better than the other. In the meantime though, it would appear that Next Generation Anti-Virus is finally proceeding down a path that actually makes an impact on malware-based cybercrime and targeted attacks.

By Gunter Ollmann, CTO at NCC Group Domain Services. More blog posts from Gunter Ollmann can also be read here.

Comments

Conficker was quite good at blocking off user access to various update and AV services, so the CWG's eye chart was a rather interesting way for a user to know he had Conficker.

Now, you speak about moving most if not all the protection logic onto the cloud. So - what about users whose internet connectivity is disrupted, either by heavy outbound traffic from a spambot that maxes out his pipe, or by deliberate action taken by the bot to firewall off security vendor IP space...
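The post describes the desktop agent sending suspicious files up to the vendor cloud and receiving a verdict, with the "analyze it once" efficiency argument; the comment above raises the case where that cloud cannot be reached. The following added example (not the post's code, nor any vendor's product) models that exchange with a constructed hash-to-verdict table standing in for the cloud, shows how a local verdict cache removes repeat round trips, and makes the offline policy (fail closed and hold the file, or fail open and allow it) an explicit choice rather than an accident.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"  # cloud unreachable and nothing cached for this file

class CloudUnreachable(Exception):
    """Vendor cloud did not answer: saturated link, vendor IP space firewalled off, etc."""

class SimulatedCloud:
    """Stand-in for a vendor analysis cloud: a constructed hash table, not any real API."""
    def __init__(self, known: dict):
        self.known = known
        self.reachable = True  # flip to False to simulate the outage case

    def lookup(self, digest: str) -> Verdict:
        if not self.reachable:
            raise CloudUnreachable(digest)
        return self.known.get(digest, Verdict.CLEAN)

class DesktopAgent:
    """Desktop side: fingerprint the file, query the cloud once, cache the verdict."""
    def __init__(self, cloud: SimulatedCloud, fail_closed: bool = True):
        self.cloud, self.fail_closed = cloud, fail_closed
        self.cache, self.cloud_queries = {}, 0  # round trips made, to show the analyse-once effect

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def check(self, data: bytes) -> Verdict:
        digest = self.fingerprint(data)
        if digest in self.cache:  # seen before: no round trip needed
            return self.cache[digest]
        try:
            self.cloud_queries += 1
            verdict = self.cloud.lookup(digest)
        except CloudUnreachable:
            return Verdict.UNKNOWN  # deliberately not cached: the next sighting retries
        self.cache[digest] = verdict
        return verdict

    def action(self, data: bytes) -> str:
        verdict = self.check(data)
        if verdict is Verdict.UNKNOWN:  # the offline case raised in the comments
            return "hold" if self.fail_closed else "allow"
        return "block" if verdict is Verdict.MALICIOUS else "allow"
```

A cached verdict keeps protecting through an outage; only files the agent has never seen before are affected by the fail-open/fail-closed choice.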